The other shoe fell today for DSW, the national footwear discounter that admitted
in March that hackers accessed more than three months’ worth of customer
In a settlement with the Federal Trade Commission (FTC), DSW agreed to
implement a comprehensive security plan and to obtain independent audits by
a third-party security firm every other year for 20 years.
The security program must include administrative, technical and physical
Until at least March of this year, the FTC claims, DSW engaged in a number
of practices that, taken together, failed to provide reasonable and
appropriate security for sensitive customer information.
The FTC said DSW’s failure to secure customers’ sensitive data constituted
an unfair trade practice, because it caused substantial injury that was not
reasonably avoidable by consumers. The FTC further charged that the
offsetting benefits to consumers, such as credit, debit and check approvals,
did not outweigh the consumer injuries.
According to the FTC, the DSW security lapse compromised 1.4 million
customer credit and debit cards and 96,000 checking accounts. The FTC said
that there have been fraudulent charges on some of the compromised accounts.
The FTC said DSW’s exposure for losses related to the breach ranges from
$6.5 million to $9.5 million.
As outlined in the FTC complaint, DSW uses computer networks to obtain
authorization for credit card, debit card and check purchases at its stores
and to track inventory. Columbus, Ohio-based DSW operates approximately 190
stores in 32 states. In 2004, the company generated $961 million in net
sold approximately 23.7 million pairs of shoes.
For credit and debit card purchases, DSW collects information including the
card number and expiration date from the magnetic stripe on the back of the
card. This magnetic stripe (track) data is particularly sensitive, because it
carries a card verification code, distinct from the three-digit code printed
on the card, that the issuer checks during authorization; anyone holding the
full track data can encode it onto a blank card and produce a counterfeit
that passes authorization as if it were genuine.
For check purchases, DSW collects information such as the routing number,
account number, check number and the consumer’s driver’s license number and
state. In each case, the information was wirelessly transmitted to a
computer network located in the store.
From there, the data was sent to the appropriate bank or check processor.
The poor security practices the FTC says DSW followed included creating
unnecessary risks to sensitive information by storing it in multiple files
after it no longer had a business need for the data, and storing that data
in unencrypted files that could be easily accessed using a commonly known
user ID and password.
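The two points above, that full magnetic stripe data is far more dangerous than a card number alone and that a merchant should not keep it once the purchase is authorized, are easiest to see with the data itself. The following is an added example, not code from the article or from DSW or the FTC: it parses an ISO 7813 Track 2 string from a card swipe, validates the account number with the Luhn check, and then reduces the record to the only fields a post-authorization log needs (masked account number and expiry), discarding the discretionary data where the stripe's verification code lives. The sample swipe is constructed from a publicly known Visa test number; the expiry, service code and discretionary digits are made up.

```python
import re

# ISO 7813 Track 2 layout: ';' start sentinel, PAN (up to 19 digits),
# '=' field separator, YYMM expiry, 3-digit service code, discretionary
# data (issuer-defined; this is where the stripe verification code is
# encoded), '?' end sentinel, optional LRC character.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?(?P<lrc>.)?$"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every card number must pass; catches garbled swipes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a raw Track 2 string into its fields. Raises on malformed input."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a well-formed Track 2 string")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    exp = m.group("exp")
    return {
        "pan": pan,
        "exp_year": "20" + exp[:2],
        "exp_month": exp[2:],
        "service_code": m.group("svc"),
        # Full track data is only useful to a fraudster if this field is present.
        "discretionary": m.group("disc"),
    }


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the usual 'masked PAN' form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storable_record(track: str) -> dict:
    """What the store may keep after the bank has answered: a masked PAN and
    expiry for reconciliation. The full PAN, service code and discretionary
    data are dropped so a stolen log cannot be turned into a working card."""
    fields = parse_track2(track)
    return {
        "masked_pan": mask_pan(fields["pan"]),
        "exp": f"{fields['exp_year']}-{fields['exp_month']}",
    }


# Constructed sample swipe (test PAN 4111111111111111; other digits made up).
SAMPLE_SWIPE = ";4111111111111111=0812101123456789?"

if __name__ == "__main__":
    print("parsed:   ", parse_track2(SAMPLE_SWIPE))
    print("storable: ", storable_record(SAMPLE_SWIPE))
```

The contrast between the two dictionaries is the whole point of the FTC's complaint: the first is what must exist for a moment to get an authorization, the second is all that should survive in any file on the store network afterwards.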
Among other lax practices cited by the FTC was failing to use readily
available security measures to limit access to its computer networks through
wireless access points on the networks.